
I'm setting up an OpenVPN server. I want it to redirect any incoming connection (except for ports 22 (ssh) and 1194 (the VPN server itself)) to a client connected to the VPN.

The VPN server will live at vpn.example.com. The client is at 10.8.0.2; the VPN gateway is 10.8.0.1.

How do I set up a DMZ to do this?

Footnotes:

I found how to redirect a single port over the VPN here: Port forwarding with OpenVPN

The gist is to run iptables -t nat -A PREROUTING -i eth0 -d VPN_IP_HERE -p tcp --dport PORT_TO_REDIRECT -j DNAT --to-destination 10.8.0.2

However, this only works for one port at a time; I would love a solution like --dport *.

WayToDoor
  • 126
  • 6

2 Answers

1

This might already have been answered anyway, but you can use this in your /etc/network/interfaces:

 post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/8' -o eth0 -j MASQUERADE
 post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/8' -o eth0 -j MASQUERADE

This rule sets up complete NAT for any port. It can be restricted by setting e.g. 10.8.0.3/32 instead of 10.0.0.0/8 to NAT any port for a single IP on eth0, which has to be replaced by your interface.

Moreover, to forward a specific port range you can use

--dport 20000:22000

In this example, ports from 20k to 22k will be forwarded.

djdomi
  • 1,599
  • 3
  • 12
  • 19
1

If you care about redirecting only tcp to your client, you could use:

iptables -t nat -A PREROUTING -i eth0 -d VPN_IP_HERE -p tcp ! --dport 22 -j DNAT --to-destination 10.8.0.2

That will redirect all tcp packets except those to port 22 (sshd). That should work as long as you're running OpenVPN on udp (the usual case). In case you want to redirect udp also, add:

iptables -t nat -A PREROUTING -i eth0 -d VPN_IP_HERE -p udp ! --dport 1194 -j DNAT --to-destination 10.8.0.2

And then there's icmp: you'll likely want to redirect at least some of it, too.

Rather than specifying the traffic (almost all of it in your case) to redirect, it may be simpler to invert the problem:

iptables -t nat -A PREROUTING -i eth0 -d VPN_IP_HERE -p udp --dport 1194 -j RETURN
iptables -t nat -A PREROUTING -i eth0 -d VPN_IP_HERE -p tcp --dport 22 -j RETURN
iptables -t nat -A PREROUTING -i eth0 -d VPN_IP_HERE -j DNAT --to-destination 10.8.0.2

The -j RETURN means to stop processing the current chain. The first 2 rules above define cases that "short-circuit" your redirect rule. Anything not matched by the first 2 rules then gets redirected.

One handy iptables reference: https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#RETURNTARGET

fmyhr
  • 161
  • 9
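As an added example that is not code from the question or from either answer: a small POSIX shell script that generates, checks, and optionally applies the "exempt first, then DNAT everything" ruleset from the second answer, together with the pieces both answers leave implicit: enabling IP forwarding, FORWARD-chain rules for the redirected traffic, and a MASQUERADE on the tunnel interface (the idea behind the first answer's POSTROUTING rule, moved to the tunnel side) so that replies from the client come back through the VPN. The interface names eth0 and tun0, the placeholder public address 203.0.113.10 standing in for vpn.example.com, and the helper names dmz_rules, check_order, nat_rule_count and apply_rules are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not code from the question or either answer: generate (and
# optionally apply) the "exempt SSH and OpenVPN, then DNAT everything" ruleset.
# Interface names, the public address and the helper names are assumptions.
set -eu

WAN_IF="${WAN_IF:-eth0}"                 # public interface of the VPN server (assumed)
VPN_IF="${VPN_IF:-tun0}"                 # OpenVPN tunnel interface (assumed)
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # vpn.example.com; RFC 5737 doc address (assumed)
CLIENT_IP="${CLIENT_IP:-10.8.0.2}"       # VPN client acting as the DMZ host
SSH_PORT="${SSH_PORT:-22}"
OVPN_PORT="${OVPN_PORT:-1194}"

# Print the rules one per line so they can be reviewed before being run.
# Order matters: -A appends, so the two RETURN exemptions must be emitted
# before the catch-all DNAT, which names no -p and therefore also catches icmp.
dmz_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p udp --dport $OVPN_PORT -j RETURN
iptables -t nat -A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport $SSH_PORT -j RETURN
iptables -t nat -A PREROUTING -i $WAN_IF -d $PUBLIC_IP -j DNAT --to-destination $CLIENT_IP
iptables -t nat -A POSTROUTING -o $VPN_IF -d $CLIENT_IP -j MASQUERADE
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $VPN_IF -d $CLIENT_IP -m conntrack --ctstate DNAT -j ACCEPT
EOF
}

# Fail if any RETURN exemption would land after the DNAT catch-all; that
# ordering would redirect SSH and OpenVPN to the client and lock you out.
check_order() {
  dmz_rules | awk '
    /-j DNAT/ { seen_dnat = 1 }
    /-j RETURN/ && seen_dnat { bad = 1 }
    END { exit bad ? 1 : 0 }'
}

# Number of nat-table rules emitted (the FORWARD rules live in the filter table).
nat_rule_count() {
  dmz_rules | grep -c -- '-t nat'
}

apply_rules() {
  check_order
  sysctl -w net.ipv4.ip_forward=1       # the server must route, not only NAT
  dmz_rules | sh -e                     # run each line; stop on the first failure
}

case "${1:-print}" in
  apply) apply_rules ;;
  *)     dmz_rules ;;                   # default: dry run, only print the commands
esac
```

Run with no arguments to print the rules for review; run with `apply` to enable forwarding and execute them. The MASQUERADE on the tunnel interface is a deliberate trade-off: replies to a redirected connection must travel back through the tunnel, and if the client's default route does not point at the VPN (no redirect-gateway pushed) they would leave via the client's own uplink and the connection would never complete. Masquerading on tun0 makes every redirected connection appear to the client to come from 10.8.0.1, which sidesteps that routing problem but hides the real source address from the client's logs; if you push redirect-gateway to the client instead, drop that line. The two FORWARD rules only matter when your FORWARD policy is DROP and are harmless otherwise. Keep in mind that a catch-all DNAT exposes every service listening on the client to the Internet, with the RETURN list as the only thing keeping ports off it, so if you can enumerate the services you actually need, per-port DNAT rules are the safer choice.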